The efficient provisioning and administration of capabilities and attributes in a system or group of systems is a significant challenge faced by many modern organizations. Modern organizations often utilize numerous computer applications, each of which typically enforces business rules, enables the processing of numerous business functions, and models multiple organizational and/or hierarchical structures. Users in the system may have different levels of access, different capabilities and different relationships to the other users and Groups in the organization depending on the particular system or module being accessed. For instance, a typical school system may have separate methods or computer applications to record information about students, organize and define classes, order supplies, track assets, plan and track curriculum, as well as a web site portal to communicate with parents and the community.
To reflect organizational reality, computer systems and automated methods enable functionality to define Groups that reflect the organization's hierarchical and/or functional groupings. By grouping users in this manner, a system manages the users' attributes and capabilities centrally, at the Group level. The concept of a Group also provides increased flexibility and efficiency because the construct is usually implemented to allow Groups to be members of other Groups. A single Group is often used to combine two or more other Groups, thereby enabling organizations to model sub- or super-Groups. For instance, in a typical school organization, the science Group may include the sub-Groups biology, chemistry and physics departments, while the science Group itself may be part of a super-Group that includes all the science Groups for every school in the school district.
In addition to Groups, a Role can be used to combine one or more capabilities or attributes. Generally, a member of any organization is afforded a level of access or authority within an organization in order to perform assigned Roles, whether the Roles are trivial, administrative or authoritative in nature. A number of commercial and proprietary software tools have been developed to help organizations manage employees and employee Roles. Companies often use simple databases to record information relating to an employee for use by Human Resources, Payroll, and Management. As such, an employee is able to perform designated functions for the company in accordance with the recorded duties and responsibilities.
There is a need to separate the Group and Role entities; this allows the desired relationships to be expressed directly. Existing methods only allow Groups to own a Role. A strong need exists to allow multiple Roles to be combined to form a higher-level Role, thereby adding a level of sophistication that enables more logical modeling of a real-life organization. Closer modeling of the underlying organizational structure provides more efficient and intuitive configuration and ongoing maintenance of the system. Moreover, existing technology does not provide for separate ownership and usage of a Role. A need exists to increase the functionality of such systems by decoupling the ownership of (or ultimate authority over) a Role from the usage of (or ability to execute the capabilities of) a Role.
Although system design schemes allow for both Group and Role constructs, there is a need to provide richer functionality by increasing the flexibility of these constructs. In typical Role-based systems, one relationship, i.e. membership in the Group, is used to express two different concepts. That is, Groups are used both to express true membership and to aggregate permissions. Moreover, existing technologies only use Roles for permissions and privileges and treat Roles as attributes to be shared among a Group of users, not as a concept that can also be used to assist in characterizing properties for a single individual. There is a need to allow essentially any attribute to be captured in a Role.
The typical school organization provides a useful illustration of the Groups and Roles concept. In a school organization, the Principal may be the only person with authority to approve disciplinary actions against students. This scenario illustrates the need for more flexible use of Roles. Groups have members; Roles have users. The intent and meaning of the relationship is different for the two cases. Membership in a Group could be used to imply that a user is allowed a certain privilege, whereas using a Role expresses that relationship explicitly. If the capabilities of a Principal as a Group and instead of being associated directly to the Principal's Login-ID, the Role would be difficult to transfer. A need exists for using a Role in this situation to allow the authority to be easily transferred to a new principal when needed or even transferred to the vice principal temporarily while the principal is on vacation.
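The school scenario above can be sketched as a small access model. This is an added example, not part of the original text or the method it describes: the `Role` class, the `school_board` owner, the Login-IDs and the capability names are all hypothetical. It shows Roles combined into a higher-level Role, ownership kept separate from usage, and the Principal's authority moved to the vice principal without touching Group membership.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    owner: str                                         # authority over the Role
    capabilities: set = field(default_factory=set)
    includes: list = field(default_factory=list)       # Roles combined into this one
    users: set = field(default_factory=set)            # Login-IDs that may exercise it

    def effective(self, seen=None):
        """Own capabilities plus those of every included Role (cycle-safe)."""
        seen = set() if seen is None else seen
        if self.name in seen:
            return set()
        seen.add(self.name)
        caps = set(self.capabilities)
        for sub in self.includes:
            caps |= sub.effective(seen)
        return caps

    def set_use(self, actor, login_id, allowed):
        """Assumed rule: only the owner changes who uses the Role."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own Role {self.name!r}")
        (self.users.add if allowed else self.users.discard)(login_id)

def can(login_id, capability, roles):
    return any(login_id in r.users and capability in r.effective() for r in roles)

def demo():
    # Constructed sample data: all names below are hypothetical.
    discipline = Role("DisciplineApprover", "school_board", {"approve_discipline"})
    staff = Role("Staff", "school_board", {"view_roster"})
    principal = Role("Principal", "school_board", includes=[discipline, staff])
    administration = {"p.jones", "vp.smith"}           # Group: membership only
    roles = [discipline, staff, principal]
    principal.set_use("school_board", "p.jones", True)
    out = {"vp_before": can("vp.smith", "approve_discipline", roles)}
    try:                                               # a user is not the owner
        principal.set_use("p.jones", "vp.smith", True)
        out["user_can_delegate"] = True
    except PermissionError:
        out["user_can_delegate"] = False
    principal.set_use("school_board", "p.jones", False)  # vacation starts
    principal.set_use("school_board", "vp.smith", True)
    out["vp_during"] = can("vp.smith", "approve_discipline", roles)
    out["principal_during"] = can("p.jones", "approve_discipline", roles)
    out["both_in_group"] = {"p.jones", "vp.smith"} <= administration
    return out
```

Both Login-IDs stay members of the same Group throughout; only the set of Role users changes, which is what keeps the transfer a single, auditable operation.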
Computing environments have modeled a limited set of societal entities, with each environment representing a small subset of the known societal entities. In one example, environments commonly referred to as “social networking” represent a single Role of a Login-ID, as well as a set of Roles with a common interest, commonly called a “Group.” However, these Groups cannot own Roles, nor do they typically own content of their own. Groups simply give a collection of Roles a single label for easy reference, e.g. as a member of one or more Groups. In such computing environments, the content of each Group is kept separate, but is shared within the Group. However, the opportunity for interaction within the environment is extremely limited, typically only with other Group members. Therefore, there is a need for increased functionality to enable a system to recognize that societal entities are not monolithic and that there are more kinds of relationships than have previously been modeled.